Hired guns: Cyberwarfare and cyber-mercs

by Charles Jeter, ESET cybercrime investigator, January 06, 2011

Private military companies (PMCs) are migrating into the cybersecurity world at a rapid pace. Right now the defense of the nation's cyber-assets rests in the hands of cyber-PMCs. These cyber-PMCs don't hire gunslingers; instead, they hire white hat hackers who pen-test with the best and defend our virtual frontier.

A solid look at defensive cyberwarfare duties may also take in existing cyber-consultants or contractors for the military. This means that if cyberwarfare is now a reality, the category of private military company logically should apply to those responsible for both physical and cybersecurity in the first decade of the 21st century.

We can call it whatever we'd like, but Xe and Blackwater (both PMCs) had physical security duties of a defensive, not offensive, nature, such as garrisoning outposts and personal protection of high-ranking civilians. You see where this analogy goes, and I'd love to take your comments on this topic.

Repurposing existing talent: Partnerships

Going one step further – individual professional cyber-PMC members are also part of their local eCity. They eat, sleep, shop and live among the rest of us in places like San Diego, Seattle, Las Vegas and the Beltway. An eCity is easily described as the virtual and real world around us. A credit card purchase at a physical point of sale soars across the internet to arrive at another physical bank.

Because we're all interconnected and similarly affected by cyber disruption, it would be rare to find a cyber-PMC who doesn't understand the value proposition of protecting one's own community.

Channeling threat awareness into positive community participation rather than evil self-directed actions, such as Operation Payback, should be our collective goal. Instead of Hezbollah (a longtime PMC for Iran), we should imagine early Colonial America and the individual's participation in the defense of a new nation.

Minutemen of the 21st Century

The American Revolutionary War in the 1770s was fought by citizen soldiers. At a moment's notice, day or night, these individuals would drop what they were doing and form ranks to thwart attackers.

There is no reason why a defensive cyber perimeter can't be manned by watch-standers of this age. Yet as a corporate approach, this participation has risks to the individual unless corporations and government both support participation.

Here's one thought to ponder. The cyber-PMC member's knowledge and skills could easily be leveraged to form a regional defensive and educational structure on a Wikipedia level which could harden the target. Yet the solution of individual cybersecurity participation has a glass ceiling; right now if you're a cybersecurity professional, you're held to a higher standard than Joe Sixpack. And if you're highly successful, you're going to get crucified by your company more often than not.

Titan Rain: Freelancing wins in court

One example is that individuals who may make a significant difference in thwarting events, such as Titan Rain, have been fired by their employers for their off-duty activities.

From Wikipedia about Shawn Carpenter:

His employment was later terminated when Carpenter disobeyed his management and communicated the information about the security breaches to the United States Army and the FBI. He was a confidential informant for the FBI for almost half a year before Sandia discovered his actions. Carpenter reportedly felt betrayed by the termination, as he viewed his actions were a service to his country, similar to that of his previous military service.

According to Carpenter, during his termination hearing at Sandia, Bruce Held, Sandia's Chief of Counterintelligence, yelled "[you're] lucky you have such understanding management... if you worked for me, I would decapitate you! There would at least be blood all over the office!"

To me this seems to be the equivalent of telling an 18th century Minuteman that he could shoot too well to be involved in defending the new nation. It's even more ironic given that it came out during trial that Carpenter had discovered breached data from Sandia's parent company Lockheed Martin on a Korean server.

Security guru Ira Winkler had this to say about Shawn's actions five years ago:

According to Time magazine, Sandia Labs' counterintelligence chief wanted Carpenter severely punished. He was "concerned" that Carpenter disobeyed his superiors. From my thinking, this is akin to a store clerk running into the manager's office and saying that masked gunmen walked into the store, and the store manager punishes the clerk for not being at the cash register.

Call to action: Reverse this and play to our team's strengths

While courts later ruled that the corporation acted wrongly and a massive $5 million-plus judgment was awarded, the legal precedent is outweighed by the more Pyrrhic victory of corporate America.

Given the choice between an employer and the "right thing to do," who wants to lose a year or two of their livelihood just to ultimately win? Most people want to just go on about their day.

In order to meet the demand of a persistent threat from multiple determined warfare-minded parties, we must change our game as well.
